fix(security): implement all 15 security fixes from penetration test V1

Security audit (2026-03-31): 5 HIGH + 10 MEDIUM issues, all fixed. HIGH: - H1: JWT password_version mechanism (pwv in Claims, middleware verification, auto-increment on password change) - H2: Docker saas port bound to 127.0.0.1 - H3: TOTP encryption key decoupled from JWT secret (production bailout) - H4+H5: Tauri CSP hardened (removed unsafe-inline, restricted connect-src) MEDIUM: - M1: Persistent rate limiting (PostgreSQL rate_limit_events table) - M2: Account lockout (5 failures -> 15min lock) - M3: RFC 5322 email validation with regex - M4: Device registration typed struct with length limits - M5: Provider URL validation on create/update (SSRF prevention) - M6: Legacy TOTP secret migration (fixed nonce -> random nonce) - M7: Legacy frontend crypto migration (static salt -> random salt) - M8+M9: Admin frontend: removed JS token storage, HttpOnly cookie only - M10: Pipeline debug log sanitization (keys only, 100-char truncation) Also: fixed CLAUDE.md Section 12 (was corrupted), added title.rs middleware skeleton, fixed RegisterDeviceRequest visibility.
2026-04-01 08:38:37 +08:00
parent 3b1a017761
commit e3b93ff96d
26 changed files with 597 additions and 220 deletions
--- a/crates/zclaw-saas/src/config.rs
+++ b/crates/zclaw-saas/src/config.rs
@@ -3,10 +3,6 @@
 use serde::{Deserialize, Serialize};
 use std::path::PathBuf;
 use secrecy::SecretString;
-#[cfg(not(debug_assertions))]
-use secrecy::ExposeSecret;
-#[cfg(not(debug_assertions))]
-use sha2::Digest;

 /// SaaS 服务器完整配置
 #[derive(Debug, Clone, Serialize, Deserialize)]
@@ -287,11 +283,9 @@ impl SaaSConfig {
                }
                #[cfg(not(debug_assertions))]
                {
-                    // 生产环境: 使用 JWT 密钥的 SHA-256 哈希作为加密密钥
-                    tracing::warn!("ZCLAW_TOTP_ENCRYPTION_KEY not set, deriving from JWT secret");
-                    let jwt = self.jwt_secret()?;
-                    let hash = sha2::Sha256::digest(jwt.expose_secret().as_bytes());
-                    Ok(hash.into())
+                    anyhow::bail!(
+                        "生产环境必须设置 ZCLAW_TOTP_ENCRYPTION_KEY 环境变量 (64 个十六进制字符, 32 字节)"
+                    );
                }
            }
        }